Security Warnings

 
Post new topic   Reply to topic    Aprelium Forum Index -> SSL/Certificates
View previous topic :: View next topic  
Author Message
loloyd
-


Joined: 03 Mar 2006
Posts: 435
Location: Philippines

PostPosted: Mon Jul 16, 2007 2:21 am    Post subject: Security Warnings Reply with quote

I am browsing locally using Firefox 2.0.0.4 on Windows XP where my Abyss 2.5 Beta 1 resides. I'm not really savvy with HTTPS and SSL but, to my understanding, packet transmissions over HTTPS should well be encrypted, as per definition.

Why is it then that my Firefox reports a Security Warning like this? Why is it that I only get partial encryption? Shouldn't all packet transmissions be encrypted in HTTPS?




_________________

http://home.loloyd.com/ is online if the logo graphic at left is showing.
Back to top View user's profile Send private message Visit poster's website
aprelium-beta
-


Joined: 24 Jun 2004
Posts: 383

PostPosted: Mon Jul 16, 2007 9:38 pm    Post subject: Re: Security Warnings Reply with quote

loloyd,

That's not a server issue. It's related to your HTML page code.

It seems that you are viewing a HTML page over HTTPS while this page references some HTTP images (or other embedded objects). This makes most browsers complain and report a warning.

So try removing the hard coded http:// links from your page. Does that help?
_________________
Beta Testing Team
Aprelium - http://www.aprelium.com
Back to top View user's profile Send private message Send e-mail
loloyd
-


Joined: 03 Mar 2006
Posts: 435
Location: Philippines

PostPosted: Tue Jul 17, 2007 5:14 am    Post subject: Reply with quote

Yes, that helps! You're right. Thank you very much.

I also did some crude tests. I src'd images from external http only sites and the security set did not complain. I think what's causing the security alerts to pop up are my src'd (embedded) videos. It is now my belief (yeah not very scientific admittedly) that only tags with SRC= attribute are affected by this.

Any additional insights are very much welcome.
_________________

http://home.loloyd.com/ is online if the logo graphic at left is showing.
Back to top View user's profile Send private message Visit poster's website
aprelium-beta
-


Joined: 24 Jun 2004
Posts: 383

PostPosted: Tue Jul 17, 2007 10:31 pm    Post subject: Reply with quote

loloyd,

This warning message is controlled by the checbox "I'm about to view an encrypted page that contains some unencrypted information" in Settings inside the Security tab of Firefox preferences ( http://www.mozilla.org/support/firefox/options#security ).
_________________
Beta Testing Team
Aprelium - http://www.aprelium.com
Back to top View user's profile Send private message Send e-mail
loloyd
-


Joined: 03 Mar 2006
Posts: 435
Location: Philippines

PostPosted: Wed Jul 18, 2007 3:15 am    Post subject: Reply with quote

It's not really the checkbox I'm concerned about or the pop up alert. It's the sense of not having all parts of the content encrypted. It makes our HTTPS website users feel less secure when transacting with the site, especially when there's a heavy consideration on security. Leaving an HTTPS website "partially secured" would be ugly in my opinion, and it somehow defeats the purpose of installing an HTTPS server on it.
_________________

http://home.loloyd.com/ is online if the logo graphic at left is showing.
Back to top View user's profile Send private message Visit poster's website
aprelium-beta
-


Joined: 24 Jun 2004
Posts: 383

PostPosted: Wed Jul 18, 2007 11:01 pm    Post subject: Reply with quote

loloyd,

Sorry, but we don't see the problem here. It's up to the web site designer to make pages serve everything from a HTTPS request to avoid that situation. The server can do nothing if you have hard coded a http:// inside your page.

So for example, instead of using:

Code:
<IMG SRC="http;//mysite/test.jpg">


write:

Code:
<IMG SRC="/test.jpg">


The second chunk will never raise any warning and will work regardless of your domain name and the protocol you're going to choose when deploying the site.
_________________
Beta Testing Team
Aprelium - http://www.aprelium.com
Back to top View user's profile Send private message Send e-mail
loloyd
-


Joined: 03 Mar 2006
Posts: 435
Location: Philippines

PostPosted: Thu Jul 19, 2007 12:46 am    Post subject: Reply with quote

loloyd wrote:
Yes, that helps! You're right. Thank you very much.


As I said before, you are right. That is the kind of crude test I have just implemented as described in my earlier post. I was able to "fully secure" my web pages when I removed all external SRC="HTTP://..." references. What I was merely pointing out was my opinion regarding partially encrypted content. Us website makers should indeed avoid partially encrypted content when using HTTPS. And, advising our website users to switch off the pop up alert on this with their browsers if we are hosting partially encrypted content would be a less desirable option.

So there was actually no problem with the Abyss Beta 1 server. The problem lies within the webmaster's pages. :D
_________________

http://home.loloyd.com/ is online if the logo graphic at left is showing.
Back to top View user's profile Send private message Visit poster's website
aprelium-beta
-


Joined: 24 Jun 2004
Posts: 383

PostPosted: Fri Jul 20, 2007 12:05 am    Post subject: Reply with quote

loloyd wrote:
So there was actually no problem with the Abyss Beta 1 server. The problem lies within the webmaster's pages. :D


:-)
_________________
Beta Testing Team
Aprelium - http://www.aprelium.com
Back to top View user's profile Send private message Send e-mail
Mahindra
-


Joined: 23 Aug 2011
Posts: 3
Location: Grimsby england

PostPosted: Thu Oct 13, 2011 12:35 am    Post subject: Security Warnings Reply with quote

dgroos:

If you want to avoid the security warnings, then you will need to create buy a SSL Certificate from a certified authority.

A self-signed Certificate as the one you probably have is not "trusted", so the users are prompted to add your site the CmapServers site in the list of trusted places. If they add the certificate, then they wont be prompted anymore.
_________________
No hay todavia.
Back to top View user's profile Send private message Send e-mail ICQ Number
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> SSL/Certificates All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB phpBB Group